Tag Archives: honeypot

Cyber War – SecIntel

16 Saturday Jan 2010

Posted by in cyber war

Leave a comment

Tags

, , , , ,

Four days earlier, Tyler found it difficult to distinguish late evening from early morning in the darkness.  Now that he was sleeping on a cot in a makeshift bunk in the data center, he was completely divorced from the notion of days and nights.  Most of his interactions with measured time were in the realm of UTC or Coordinated Universal Time, oftentimes referred to by laymen as the less accurate Greenwich Mean Time (GMT).  Tyler was -5 GMT, or  minus 5 UTC, so when he looked at a data event from a sensor located somewhere in the world and that event’s time was tagged with 7:00 UTC – Tyler understood that to be 2:00 GMT in his local time zone – or 2am EST.  Tyler was sleeping 4 hour stretches in 20 hour intervals; the same as the 5 other cyber warriors of his unit though everyone was staggered by 4 hours making it possible to share a single cot.  Tyler left the cot a few minutes before the next sleeper arrived, used the restroom, and rejoined the others in the war room.  The time was Sunday, 1:00 UTC, locally Saturday 20:00 UTC, or 8pm EST.

SecIntel was briefing his unit on some new dashboards.  Jane was speaking.  Her masculine voice seriously negated the effect of her curves under that uniform.  “On this dashboard, you typically monitor the volume of high severity sensor events from suspect North Korean ISPs.  I understand ya’ll like to cull the command and control channels for source IPs to target.  We’ll we’ve tuned out some of the noise by correlating it with traffic from our honeypots in Taiwan.  The Chinese cyber warriors are known to obfuscate their source IPs by routing their attacks through multiple hops in Taiwan.  This is why we’ve established honeypots there.  We’re not any closer to tracking their sources but we have recognized a 6 hour window between increased reconnaissance traffic through these honeypots and a corresponding increased level of high severity attacks from North Korea.  By analyzing the recon activity we can guestimate the exploits.  This takes us an hour.  That gives you approximately 5 hours to set traps ahead of the attacks.  Instead of merely using this dashboard to cull a pool of IPs to begin tracking, you can now use it to set traps based on the exploit’s anticipated signature without needing to know the source IP ahead of time.  What do ya’ll think about that?”

Tyler felt like a bank robber seeing the vault door left open.  “Man, ya’ll are good.”